With Engineer’s Australia recent call-out on socials for "I Am An Engineer" stories, I was discussing career accomplishments with a team member (non-Engineer) and we were struck by how risk and safety need not be complicated – that the business of risk and safety, especially in assessment terms has been over-complicated.

Two such career accomplishments that really brought this home was my due diligence engineering work on:

• Gateway Bridge in Brisbane
  Our recommendation was rather than implement a complicated IT information system on the bridge for traffic hazards associated with wind, to install a windsock or flag and let the wind literally show its strength and direction in real time. A simple but effective control that ensures no misinformation.
  
• Victorian Regional Rail Level Crossings
  R2A assessed every rail level crossing in the four regional fast rail corridors in Victoria for the requirements to operate faster running trains. The simple conclusion, that I know saved countless lives, was to recommend closing level crossings where possible or provide active crossings (bells and flashing lights) rather than passive level crossings.
  

However, some risk and safety issues are not as simple, like women’s PPE.

The simple solution, to date, has been for women to wear downsized men’s PPE and workwear. But we know this is not the safest solution because women’s body shapes are completely different to men.

My work with Apto PPE has been about designing workwear from a due diligence engineering perspective. This amounted to the need to design from a clean slate (pattern, should I say!) -- designing for women’s body shapes from the outset and not tweaking men's designs.

Not everyone does this in the workwear sector, but as an engineer, I understand the importance of solving problems effectively and So Far As Is Reasonably Practicable (SFAIRP).

By applying the SFAIRP principle, you are really asking the question, if I was in the same position, how would I expect to be treated and what controls would I expect to be in place, which is usually not a complicated question.

And, maybe, my biggest career accomplishment will be the legacy work with R2A and Apto PPE in making a difference to how people think about and conduct safety and due diligence in society.

Find out more about Apto PPE, head to aptoppe.com.au

To speak with Gaye about due diligence and/or Apto PPE, head to the contact page.

One of the odder confusions that R2A happens upon is the proposition that the laws of man are always paramount in all circumstances. It seems to occur most often with persons who work exclusively in the financial sector.

From an engineering perspective, this is just plain wrong.

When dealing with the natural material spacetime universe, the laws of nature are always superior.

After some cogitation, we suspect that this confusion results from the substance of which the financial parties contend, specifically, money.

Sometime ago, over lunch with a banker out of Hong Kong, it was pointed out by R2A that money wasn’t real. The banker expressed surprise and asked what we meant by that. Our reply was that money does not exist in a state of nature. For example, it does not grow on trees. It is a human construct which prosperous societies apparently need to succeed, but of itself, is not directly subject to the laws of nature.

The banker’s response was to ask us not to mention this to anyone.

From this, we conclude that for financial people at least, compliance with legislation and regulations made under it that directly applies to the concept and use of money does demonstrate financial due diligence since the laws of nature are simply not relevant.

However, in the case of safety due diligence, just complying with the laws of man and ignoring the laws of nature will just end in disaster after disaster since the laws of nature are immutable.

To demonstrate safety due diligence requires that the laws of nature are understood and managed in a way that satisfies the laws of man – in that order. 

Remember that, legally, safety risk arises because of insufficient, inadequate or failed precautions, not because something is intrinsically hazardous.

For example, flying in a jet aircraft or getting into low earth orbit is intrinsically hazardous, but with enough precautions, it’s fine.

Leave a critical precaution out or let one fail and you will crash and burn. It’s inevitable.

Much the same has been happening with the Covid-19 crisis as discussed in our blog a few months ago (read article here).

Going directly to a political fix without understanding the science is going to hurt. Getting both right is necessary, but it has to be in the right sequence.

Overall, it’s always been no contest – the laws of nature have always trumped the laws of man, except when dealing with non-natural human constructs like money, debt and suchlike over which the laws of nature have no direct control.

Postscript: Risk, as a concept, has many of the same problems as money. It’s a human judgement about what might happen.

For example, consider the use of the popularly used heat map shown below.

Most users spot-the-dot to characterise the risk associated with a particular issue. But technically it is necessary to know the actual shape of the risk curve for that hazard (the wriggly line going from left to right) which is difficult for real spacetime hazards let alone human judgements of no-material constructs like money.

Strictly it’s also necessary to integrate the area under the risk curve (shown as the darkened area), which is never done. This just goes to show how flexible the concept of risk can be.

A fabulous array of material has emerged on government websites regarding the Coronavirus (COVID-19). Worksafe Australia has published an interesting article on the connection to WHS legislation. This emphasises that employers have a duty of care to eliminate or minimise risk, so far as is reasonably practicable (SFAIRP).

There then follows numerous precautions described in enormous and voluminous detail. In an attempt to cut to the chase, R2A decided to apply our usual precautionary approach to the whole thing to see if we clarify what all this means.

So far as we can tell, the core difficulty with the new coronavirus is that it is very, very contagious. Much more so than ordinary flu.

This means it will escalate with startling speed and easily overwhelm our medical resources unless stringent measures to reduce the infection rate are implemented.

To calculate the infection rate, a probabilistic epidemiological model appears to be being used, conceptually shown above. That is, all the individual transmission pathways may not be fully understood, but an overall probabilistic transmissivity model can be created.

From a statistical viewpoint, if enough people are involved, the predictions should be quite robust and is presumably the basis of our governments’ concerns.

Following the hierarchy of controls, the threat-barrier diagram above identifies the elimination option (a vaccine), the precautions such as isolation and infection control prior to the loss of control point and then the mitigation options including hospitalisation which act after the loss of control point.

However, from the perspective of any single infection, there will likely be a single causal chain of events, which can be interrupted in various ways, particularly following the hierarchy of controls enshrined in the WHS legislation.

Such an understanding enables SFAIRP to be demonstrated. There would be different sequences for different paths; family, hospitals, workplace, team sports and the like.

From an employer /employee perspective, we think the single line threat-barrier diagram shown above is a reasonable first cut.

If you'd like to learn more about our Safety Due Diligence approach, read our White Paper here.

Australian guidance for gas and liquid petroleum pipeline design guidance comes, to a large extent, from Australian Standard 2885. Amongst other things AS2885 Pipelines – Gas and liquid petroleum sets out a method for ensuring these pipelines are designed to be safe.

Like many technical standards, AS2885 provides extensive and detailed instruction on its subject matter. Together, its six sub-titles (AS2885.0 through to AS2885.5) total over 700 pages. AS2885.6:2017 Pipeline Safety Management is currently in draft and will likely increase this number.

In addition, the AS2885 suite refers to dozens of other Australian Standards for specific matters.

In this manner, Standards Australia forms a self-referring ecosystem.

R2A understands that this is done as a matter of policy. There are good technical and business reasons for this approach;

• First, some quality assurance of content and minimising repetition of content, and
• Second, to keep intellectual property and revenue in-house.

However, this hall of mirrors can lead to initially small issues propagating through the ecosystem.

At this point, it is worth asking what a standard actually is.

In short, a standard is a documented assembly of recognised good practice.

What is recognised good practice?

Measures which are demonstrably reasonable by virtue of others spending their resources on them in similar situations. That is, to address similar risks.

But note: the ideas contained in the standard are the good practice, not the standard itself.

And what are standards for?

Standards have a number of aims. Two of the most important being to:

1. Help people to make decisions, and
2. Help people to not make decisions.

That is, standards help people predict and manage the future – people such as engineers, designers, builders, and manufacturers.

When helping people not make decisions, standards provide standard requirements, for example for design parameters. These standards have already made decisions so they don’t need to be made again (for example, the material and strength of a pipe necessary for a certain operating pressure). These are one type of standard.

The other type of standard helps people make decisions. They provide standardised decision-making processes for applications, including asset management, risk management, quality assurance and so on.

Such decision-making processes are not exclusive to Australian Standards.

One of the more important of these is the process to demonstrate due diligence in decision-making – that is that all reasonable steps were taken to prevent adverse outcomes.

This process is of particular relevance to engineers, designers, builders, manufacturers etc., as adverse events can often result in safety consequences.

A diligent safety decision-making process involves,:

• First, an argument as to why no credible, critical issues have been overlooked,
• Second, identification of all practicable measures that may be implemented to address identified issues,
• Third, determination of which of these measures are reasonable, and
• Finally, implementation of the reasonable measures.

This addresses the legal obligations of engineers etc. under Australian work health and safety legislation.

Standards fit within this due diligence process as examples of recognised good practice.

They help identify practicable options (the second step) and the help in determining the reasonableness of these measures for the particular issues at hand. Noting the two types of standards above, these measures can be physical or process-based (e.g. decision-making processes).

Each type of standard provides valuable guidance to those referring to it. However the combination of the self-referring standards ecosystem and the two types of standards leads to some perhaps unintended consequences.

Some of these arise in AS2885.

One of the main goals of AS2885 is the safe operation of pipelines containing gas or liquid petroleum; the draft AS2885:2017 presents the standard's latest thinking.

As part of this it sets out the following process.

1. Determine if a particular safety threat to a pipeline is credible.
2. Then, implement some combination of physical and procedural controls.
3. Finally, look at the acceptability of the residual risk as per the process set out in AS31000, the risk management standard, using a risk matrix provided in AS2885.

If the risk is not acceptable, apply more controls until it is and then move on with the project. (See e.g. draft AS2885.6:2017 Appendix B Figures B1 Pipeline Safety Management Process Flowchart and B2 Whole of Life Pipeline Safety Management.)

But compare this to the decision-making process outlined above, the one needed to meet WHS legislation requirements. It is clear that this process has been hijacked at some point – specifically at the point of deciding how safe is safe enough to proceed.

In the WHS-based process, this decision is made when there are no further reasonable control options to implement. In the AS2885 process the decision is made when enough controls are in place that a specified target level of risk is no longer exceeded.

The latter process is problematic when viewed in hindsight. For example, when viewed by a court after a safety incident.

In hindsight the courts (and society) actually don’t care about the level of risk prior to an event, much less whether it met any pre-determined subjective criteria.

They only care whether there were any control options that weren’t in place that reasonably ought to have been.

‘Reasonably’ in this context involves consideration of the magnitude of the risk, and the expense and difficulty of implementing the control options, as well as any competing responsibilities the responsible party may have.

The AS2885 risk sign-off process does not adequately address this. (To read more about the philosophical differences in the due diligence vs. acceptable risk approaches, see here.)

To take an extreme example, a literal reading of the AS2885.6 process implies that it is satisfactory to sign-off on a risk presenting a low but credible chance of a person receiving life-threatening injuries by putting a management plan in place, without testing for any further reasonable precautions.[1]

In this way AS2885 moves away from simply presenting recognised good practice design decisions as part of a diligent decision-making process and, instead, hijacks the decision-making process itself.

In doing so, it mixes recognised good practice design measures (i.e. reasonable decisions already made) with standardised decision-making processes (i.e. the AS31000 risk management approach) in a manner that does not satisfy the requirements of work health and safety legislation. The draft AS2885.6:2017 appears to realise this, noting that “it is not intended that a low or negligible risk rank means that further risk reduction is unnecessary”.

And, of course, people generally don’t behave quite like this when confronted with design safety risks.

If they understand the risk they are facing they usually put precautions in place until they feel comfortable that a credible, critical risk won’t happen on their watch, regardless of that risk’s ‘acceptability’.

That is, they follow the diligent decision-making process (albeit informally).

But, in that case, they are not actually following the standard.

This raises the question:

Is the risk decision-making element of AS2885 recognised good practice?

Our experience suggests it is not, and that while the good practice elements of AS2885 are valuable and must be considered in pipeline design, AS2885’s risk decision-making process should not.

[1] AS2885.6 Section 5: “... the risk associated with a threat is deemed ALARP if ... the residual risk is assessed to be Low or Negligible”

Consequences (Section 3 Table F1): Severe - “Injury or illness requiring hospital treatment”. Major: “One or two fatalities; or several people with life-threatening injuries”. So one person with life-threatening injuries = ‘Severe’?

Likelihood (Section 3 Table 3.2): “Credible”, but “Not anticipated for this pipeline at this location”,

Risk level (Section 3 Table 3.3):  “Low”.

Required action (Section 3 Table 3.4):                 “Determine the management plan for the threat to prevent occurrence and to monitor changes that could affect the classification”.

On 19 January 2017, the Minister for Energy, Environment and Climate Change announced an independent review of Victoria’s Electricity Network Safety Framework, to be chaired by Dr Paul Grimes. On 5 May 2017, the Minister announced an expansion to the review's terms of reference to include Victoria’s gas network safety framework.It has been more than a decade since the current safety framework has been in place and it is timely to review the existing arrangements to ensure they adequately reflect the needs of the community in an increasingly complex environment.The review will include extensive consultation with industry and the community to inform the development of a final report and recommendations.Consistent with the expanded terms of reference, the Review of Victoria’s Electricity and Gas Network Safety Framework examines the safety framework applicable to the electricity and gas networks in Victoria and assesses its effectiveness in achieving desired safety outcomes. It will review the design and adequacy of the safety regulatory obligations, incentives and other arrangements governing the safety of Victoria’s electricity and gas networks.The existing Secretariat established within the Department of Environment, Land, Water and Planning to support the independent reviewer, Dr Paul Grimes, has been additionally resourced.Submissions for the Issues Paper on the review of Victoria’s electricity network safety framework closed on Friday 28 April. Along with the following organisations, R2A welcomed the opportunity to respond to the independent review.

• AER
• AusNet Services
• Attentis Technology
• CitiPower/Powercor - Submission 1
• CitiPower/Powercor - Submission 2
• Energy and Water Ombudsman of Victoria
• Jemena
• Neca
• r2a
• United Energy
• WorkSafe

Our response focuses on the following particular aspects of the review:

• The objectives of the safety framework in Victoria and an assessment of its effectiveness in achieving safety outcomes.
• The design and adequacy of the safety regulatory obligations (including safety cases and the Electricity Safety Management Scheme), incentives and other arrangements governing energy network businesses and any opportunities for improvement.

R2A’s overall perception is that electrical networks in Australia and New Zealand operate in an evolving and interesting regulatory space with overlapping financial, safety and security of supply issues. There is also a plethora of sometimes contradictory standards. Wending a path that simultaneously satisfies all of the competing issues is complex and fraught with methodological superstition. This undoubtedly creates substantial unnecessary expense and waste.From the viewpoint of an effective safety framework, the key issues we believe are causing the greatest angst at the moment are as follows:

1. Competition v Cooperation PolicyThe mantra of competition policy is being considered in isolation from the rest of the competing requirements for the safe (and reliable) delivery of electrical energy. This includes both security of supply and safety generally, and especially in Victoria major bushfires started by the electricity network. For example, high reliability requires redundancy whereas commercial efficiency is typically achieved by running without headroom. The current manifestation of economic competition policy does not deal effectively with disaster scenarios (where cooperation is essential) especially for low likelihood, high consequence events, such as black or ash bushfire days which occur about once every 25 years in Victoria.
2. Risk Management Standard v Occupational Health and Safety LegislationThe obligations of Victoria’s Occupational Health and Safety (OHS) legislation conflict with the Risk Management Standard (ISO31000) which most corporates and governments mandate. This is creating very serious confusion, particularly with the understanding of economic regulators.The risk management standard tries to manage ‘risk’ to ‘acceptable’ levels, whereas the 2004 Victorian OHS Act (and now model WHS legislation) ensures that everyone is entitled to the same minimum level of protection (but not necessarily the same level of risk).
3. Network Standards with Internal ContradictionsStandards with internal contradictions like AS 5577:2013 – Electrical network safety management systems and the EG(0) Power System Earthing Guide create enormous tensions. Specifically, they advocate using target risk criteria such as ALARP, below which risks are deemed ‘tolerable’ and do not require further action, a position in conflict with the health and safety legislation passed by all Australian parliaments and decisions of the High Court of Australia.

These key points are expanded in the body of the submission together with a possible way forward. See the full response here.

Gaye recently attended the second meeting of the Powerline Bushfire Safety Committee (PBSC) at Energy Safe Victoria (ESV).As set out in the Committee Charter, the purpose of the PBSC is to provide the Director of Energy Safety (DoES) with comprehensive expert advice to support ESV in its administration of the Electricity Safety (Bushfire Mitigation) Amendment Regulations 2016 (the regulations) and any advice ESV may, in turn, provide government on further policy changes that may be required in the light of initial network experience implementing the regulations.In addressing its purpose, the PBSC will have regard to the regulations, the regulatory impact statement (RIS) including the target fire risk reduction benefits set out herein, and the statement of reasons (SoR).The objective of the PBSC is to provide transparent, independent oversight and advice to ESV in undertaking its regulatory responsibilities to hold the distribution business accountable for the delivery of the fire reduction benefits implicit in the regulations.Gaye’s role is to provide risk management and best practice advice. All documents relating to the Committee’s activities can be found on the ESV website.

When it comes to dealing with a known safety hazard, everyone is entitled to the same minimum level of protection.

This is the equity argument. It arises from Australia’s work health and safety legislation. It seems elementary. It is elementary. It has also, with the best intentions, been pushed aside by engineers for many years.

The 1974 UK Health and Safety at Work Act introduced the concept of “so far as is reasonably practicable” (SFAIRP) as a qualifier for duties set out in the Act. These duties required employers (and others) to ensure the health, safety and welfare of persons at work.

The SFAIRP principle, as it is now known, drew on the common law test of ‘reasonableness’ used in determining claims of negligence with regard to safety. This test was (and continues to be) developed over a long period of time through case law. In essence, it asks what a reasonable person would have done to address the situation in question.

One key finding elucidating the test is the UK’s Donoghue v. Stevenson (1932), also known as ‘the snail in the bottle’ case, which looked at what ‘proximity’ meant when considering who could be adversely affected by one’s actions.

Another is the UK’s Edwards v. National Coal Board (1949), in which the factors in determining what is ‘reasonably practicable’ were found to include the significance of the risk, and the time, difficulty and expense of potential precautions to address it.

These and other findings form a living, evolving understanding of what should be considered when determining the actions a reasonable person would take with regard to safety. They underpin the implementation of the SFAIRP principle in legislation.

And although in 1986 Australia and the UK formally severed all ties between their respective legislature and judiciary, both the High Court of Australia and Australia’s state and federal parliaments have retained and evolved the concepts of ‘reasonably practicable’ and SFAIRP in our unique context.

In determining what is ‘reasonable’ the Courts have the benefit of hindsight. The facts are present (though their meaning may be argued). Legislation, on the other hand, looks forward. It sets out what must be done, which if it is not done, will be considered an offence.

Legislating (i.e. laying down rules for the future) with regard to safety is difficult in this respect. The ways in which people can be damaged are essentially infinite. That people should try not to damage each other is universally accepted, but how could a universal moral principle against an infinite set of potential events be addressed in legislation?

Obviously not through prescription of specific safety measures (although this has been attempted in severely constrained contexts, for instance, specific tasks in particular industries). And given the complex and coincident factors involved in many safety incidents, how could responsibility for preventing this damage be assigned?

The most appropriate way to address this in legislation has been found, in different places and at different times, to be to invoke the test of reasonableness. That is, to qualify legislated duties for people to not damage each other with “so far as is reasonably practicable.”

This use of the SFAIRP principle in health and safety legislation, as far as it goes, has been successful. It has provided a clear and objective test, based on a long and evolving history of case law, for the judiciary to determine, after an event, if someone did what they reasonably ought to have done before the event to avoid the subsequent damage suffered by someone else. With the benefit of hindsight the Courts enjoy, this is generally fairly straightforward.

However, determining what is reasonable without this benefit - prior to an event - is more difficult. How should a person determine what is reasonable to address the (essentially infinite) ways in which their actions may damage others? And how could this be demonstrated to a court after an event?

Engineers, as a group, constantly make decisions affecting people’s safety. We do this in design, construction, operation, maintenance, and emergency situations. This significant responsibility is well understood, and safety considerations are paramount in any engineering activity. We want to make sure our engineering activities are safe. We want to make sure nothing goes wrong. And, if it does, we want to be able to explain ourselves. In short, we want to do it right. And if it goes wrong, we want to have an argument as to why we did all that was reasonable.

Some key elements of a defensible argument for reasonableness quickly present themselves. Such an argument should be systematic, not haphazard. It should, as far as possible, be objective. And through these considerations it should demonstrate equity, in that people are not unreasonably exposed to potential damage, or risk.

Engineers, being engineers, looked at these elements and thought: maths.

In 1988 the UK Health and Safety Executive (HSE) were at the forefront of this thinking. In the report of an extensive public inquiry into the proposed construction of the Sizewell B nuclear power plant the inquiry’s author, Sir Frank Layfield, made the recommendation that the HSE, as the UK’s statutory health and safety body, “should formulate and publish guidance on the tolerable levels of individual and social risk to workers and the public from nuclear power stations.”

This was a new approach to demonstrating equity with regards to exposure to risk. The HSE, in their 1988 study The Tolerability of Risk from Nuclear Power Stations, explored the concept. This review looked at what equity of risk exposure meant, how it might be demonstrated, and, critically, how mathematical and approaches could be used for this. It introduced the premise that everyone in (UK) society was constantly exposed to a ‘background’ level of risk which they were, if not comfortable with, at least willing to tolerate. This background risk was the accumulation of many varied sources, such as driving, work activities, house fires, lightning, and so on.

The HSE put forward the view that, firstly, there is a level of risk exposure individuals and society consider intolerable. Secondly, the HSE posited that there is a level of risk exposure that individuals and society consider broadly acceptable. Between these two limits, the HSE suggested that individuals and society would tolerate risk exposure, but would prefer for it to be lowered.

After identifying probabilities of fatality for a range of potential incidents, the HSE suggested boundaries between these ‘intolerable’, ‘tolerable’ and ‘broadly acceptable’ zones, the upper being risk of fatality of one in 10,000, and the lower being risk of fatality of one in 1,000,000.

The process of considering risk exposure and attempting to bring it within the tolerable or broadly acceptable zones was defined as reducing risk “as low as reasonably practicable,” or ALARP. This could be demonstrated through assessments of risk that showed that the numerical probability and/or consequence (i.e. resultant fatalities) of adverse events were lower than one or both of these limits. If these limits were not met, measures should be put in place until they were. And thus reducing risk ALARP would be demonstrated.

The ALARP approach spread quickly, with many new maths- and physics-based techniques being developed to better understand the probabilistic chains of potential events that could lead to different safety impacts. Over the subsequent 25 years, it expanded outside the safety domain.

Standards were developed using the ALARP approach as a basis, notably Australian Standard 4360, the principles of which were eventually brought into the international risk management standard ISO 31000 in 2009. This advocated the use of risk tolerability criteria for qualitative (i.e. non-mathematical, non-quantitative) risk assessments.

And from there, the ALARP approach spread through corporate governance, and became essentially synonymous with risk assessment as a whole, at least in Australia and the UK. It was held up as the best way to demonstrate that, if a safety risk or other undesired event manifested, decisions made prior to the event were reasonable.

But all was not well.

Consider again the characteristics of a defensible argument. It should be systematic, objective and demonstrate equity, in that people are not unreasonably exposed to risk.

Engineers have, by adopting the ALARP approach, attempted to build these arguments using maths, on the premise that, firstly, there are objective acceptable and intolerable levels of risk, as demonstrated by individual and societal behaviour, and, secondly, risk exposure within specific contexts (e.g. a workplace) could be quantified to these criteria. There are problems with mathematical rigour, which introduce subjectivity when quantifying risk in this manner, but on the whole these are seen as a deficit in technique rather than philosophy, and are generally considered solvable given enough time and computing power.

However, there is another way of constructing a defensible argument following the characteristics above.

Rather than focusing on the level of risk, the precautionary approach emphasises the level of protection against risk. For safety risks it does this by looking firstly at what precautions are in place in similar scenarios. These ‘recognised good practice’ precautions are held to be reasonable due to their implementation in existing comparable situations. Good practice may also be identified through industry standards, guidelines, codes of practice and so on.

The precautionary approach then looks at other precautionary options and considers on one hand the significance of the risk against, on the other, the difficulty, expense and utility of conduct required to implement and maintain each option. This is a type of cost-benefit assessment.

In practice, this means that if two parties with different resources face the same risk, they may be justified in implementing different precautions, but only if they have first implemented recognised good practice.

Critically, however, good practice is the ideas represented by these industry practices, standard, guidelines and so on, rather than the specific practices or the standards themselves. For example, implementing an inspection regime at a hazardous facility is unequivocally considered to be good practice. The frequency and level of detail required for inspection will vary depending on the facility and its particular context, but having no inspection regime at all is unacceptable.

The precautionary approach provides a formal, systematic, and objective safety decision-making alternative to the ALARP approach.

Equity with regard to safety can be judged in a number of ways. The ALARP approach considers equity of risk exposure. A second approach, generally used in legislation, addresses equity through eliminating exposure to specific hazards for particular groups of people, without regard to probability of occurrence. For example, dangerous goods transport is prohibited for most major Australian road tunnels regardless of how unlikely they may be to actually cause harm. In this manner, road tunnel users are provided equity in that none of them should be exposed to dangerous goods hazards in these tunnels.

The precautionary approach provides a third course. It examines equity inherent in the protection provided against particular hazards. It provides the three key characteristics in building a defensible argument for reasonableness.

It can be approached systematically, by first demonstrating identification and consideration of recognised good practice, and the decisions made for further options.

It is clearly objective, especially after an event; either the precautions were there or they were not.

And it considers equity in that for a known safety hazard, recognised good practice precautions are the absolute minimum that must be provided to protect all people exposed to the risk. Moving forward without good practice precautions in place is considered unacceptable, and would not provide equity to those exposed to the risk. While further precautions may be justified in particular situations, this will depend on the specific context, magnitude of the risk and the resources available.

Oddly enough, this is how the Courts view the world.

The Courts have trouble understanding the ALARP approach, especially in a safety context. From their point of view, once an issue is in front of them something has already gone wrong. Their role is then to objectively judge if a defendant’s (e.g. an engineer’s) decisions leading up to the event were reasonable.

Risk, in terms of likelihood and consequence, is no longer relevant; after an event the likelihood is certain, and the consequences have occurred. The Courts’ approach, in a very real sense, involves just two questions:

Was it reasonable to think this event could happen (and if not, why not)?Was there anything else reasonable that ought to have been in place that would have prevented these consequences?The ALARP approach is predicated on the objective assessment of risk prior to an event. However, after an event, the calculated probability of risk is very obviously called into question. This is especially so as the Courts tend to see low-likelihood high-consequence events.

If, using the ALARP approach, a safety risk was determined to have less than a one in 1,000,000 (i.e. ‘broadly acceptable’) likelihood of occurring, and then occurred shortly afterwards, serious doubt would be cast on the accuracy of the likelihood assessment.

But, more importantly, the Courts don’t take the level of risk into account in this way. It is simply not relevant to them. If a risk is assessed as ‘tolerable’ or ‘broadly acceptable’ the answer to the Courts’ first question above is obviously ‘yes’. The Courts’ second question then looks not at the level of risk in isolation, but at whether further reasonable precautions were available before the event.

‘Reasonable’ in an Australian legal safety context follows the 1949 UK Edwards v. National Coal Board definition and was refined by the High Court of Australia in Wyong Shire Council v. Shirt (1980). It requires that, when deciding on what to do about a safety risk, one must consider the options available and their reasonableness, not the level of risk in isolation. This is the requirement of the SFAIRP principle.

This firstly requires an understanding of whether options are reasonable by virtue of being recognised good practice. The reasonableness of further options can then be judged by considering the benefit (i.e. risk reduction) they could provide, as well as the costs required to implement them. Options judged as unreasonable on this basis may be rejected. It is only in this calculus that the level of risk (considered first in the ALARP approach) is considered by the Courts.

The ALARP approach does not meet this requirement. If a risk is determined to be ‘broadly acceptable’ then, by definition, risk equity is achieved, and no further precautions are required. But this may not satisfy the Courts’ requirement for equity of minimum protection from risk through recognised good practice precautions. It may also result in further reasonable options being dismissed.

The precautionary approach, on the other hand, specifically addresses the way in which the Courts determine if reasonable steps were taken, in a systematic, objective and equity-based manner. From a societal point of view, the Courts are our conscience. Making safety decisions consistent with how our Courts examine them would seem to be a responsible approach to engineering.

The ALARP approach was a good idea that didn’t work. With the best intentions, it was developed to its logical conclusions and was subsequently found to not meet society’s requirements as set forward by the Courts.

The precautionary approach’s recent prominence has been driven by the adoption of the SFAIRP principle in the National Model Work Health and Safety Act, now adopted in most Australian jurisdictions, followed by similar changes through the Rail Safety National Law, the upcoming Heavy Vehicle National Law and others. And as the common law principle of reasonableness finds it way into more legislation the need for an appropriate safety decision-making approach becomes paramount. It is an old idea made new, and it works. It provides equity.

Is there any good reason to not implement it?

This article first appeared on Sourceable.

One of the more interesting philosophical issues to emerge in the early 21st century is the relationship, as determined by our courts, between the precautionary principle as implemented in environmental legislation, and the precautionary approach as articulated in the harmonised Work Health and Safety (WHS) legislation.It is interesting because the intellectual source of these ideas appears entirely different, yet the judicial operationalisation of both approaches appears to align.The environmental precautionary principle is generally recognised as coming from Germany’s democratic socialist movement in the 1930s and gained acceptance through the German Green movement in the '70s and '80s as a formal articulation of the German principle of vorsorge-prinzip, that is, quite literally, precaution-principle. In Australia, Parliaments adopted the formulation derived from the Rio convention in the '80s as expressed by the Intergovernmental Agreement on the Environment (1992) between the Commonwealth and the States. That is:"Where there are threats of serious or irreversible environmental damage, lack of full scientific certainty should not be used as a reason for postponing measures to prevent environmental degradation.In the application of the precautionary principle, public and private decisions should be guided by:(i) careful evaluation to avoid, wherever practicable, serious or irreversible damage to the environment; and(ii) an assessment of the risk-weighted consequences of various options."The precautionary approach in the model WHS legislation appears to be derived as a defence against negligence in the common law. The common law (commencing in the 12th century with King Henry II) is now established from case law as modified progressively by the judiciary over the next 800 years and, in particular with regard to negligence, by the English law lord Lord Atkin in 1932. He favoured the adoption of a manifestation of the ethic of reciprocity or the golden rule of most major philosophies and religions, expressed in the Christian tradition, as: love your neighbour as yourself meaning do unto others as you would have done unto you.In The precautionary principle, the coast and Temwood Holdings, published in the Environmental and Planning Law Journal 2014, Justice Stephen Estcourt summarises the attempts by the judiciary in Australia to operationalise the environmental precautionary principle over the last 20 years and describes the way various decisions depend on earlier decisions and the way in which aspects of possibly unrelated decisions can be ‘borrowed’ (for want of a better term) from other judgments. For example, he observes that Osborn J in Environment East Gippsland vs VicForests (2010) notes the Shirt calculus. Wyong Shire Council v Shirt (1980) considers the liability of the Council for a water skiing accident, which at first glance would not appear to have any obvious connection to an environmental forestry matter. The issue was a question as to on which side of a sign saying ‘deep water,’ the water was actually deep.What the judges appear to be doing is extracting what are perceived relevant principles from other decisions. This has been conceptually noted by others. In their book Understanding the Model Work Health and Safety Act, Barry Sherriff and Michael Tooma quote a decision from the NSW Land and Environment Court to establish what due diligence means in the model Work Health and Safety legislation. Their point is that, whilst due diligence has been defined in the model WHS Act, the definition closely mirrors the current definition of due diligence in case law. That is, existing environmental case law may serve as a guide to this interpretation for WHS legislation.From the perspective of due diligence engineers trying to reverse engineer the decisions of the Courts, all this is actually quite refreshing. Deconstructing the precautionary principle back to established common law protocols to establish due diligence facilitates a robust pre-event alignment of the laws of nature with the laws of man.

This article first appeared on Sourceable.

When demonstrating due diligence, it’s not just what you know and who you know, it’s what you don’t know that you know.

Donald Rumsfeld’s infamous 2002 quote provoked much discussion: “…as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know…there are also unknown unknowns – the ones we don't know we don't know. It is the latter category that tend to be the difficult ones.”

Rumsfeld’s comment emphasised the importance of unforeseen (and possibly unforeseeable) risks. However, he did not speak about a potential fourth category, the ‘unknown knowns.’

T. E. Lawrence wrote of the ideal military organisation having “perfect 'intelligence,' so that we could plan in certainty.” In practice, this is essentially impossible. An executive’s difficulty in knowing what is happening throughout their organisation increases exponentially with the organisation’s size. This gives rise to many well-known and resented management frameworks, including risk and quality systems, communication protocols, timesheets, and so on.

A heuristic technique known as the Johari Window considers the intersection of a person’s state of knowledge with that of their surrounding community. Adapting this to a organisation’s executive’s point of view gives the following Rumsfeldian categories:

These ‘unknown knowns,’ or blind spots, may take a range of forms, including different solutions implemented in different departments for similar problems. At best this is inefficient, and at worst it may demonstrate that, in the case of something going badly wrong, the organisation had a different and clearly reasonable way to address the issue but failed to do so. In this way, recognised good practice may be known and understood within an organisation but not communicated to those who would fund its implementation. A situation may occur in which something goes wrong and good practice measures could have prevented it. This leaves organisations (and relevant managers) open to charges of negligence.

Blind spots may also manifest in the form of operations teams using workarounds to bypass inefficient or perceived low value systems imposed by management. These may arise from benevolent or benign intentions, but can also involve the deliberate flouting of rules or laws, as seen in the recurring ‘rogue financial trader’ scandals.

These scenarios occur again and again in large organisations, and regularly appear in high-profile crisis management media stories. A prominent recent case is Volkswagen’s 2015 diesel emissions controversy. Volkswagen’s CEO admitted that from 2009 to 2014 up to eleven million of its diesel cars (including 91,000 in Australia) had deliberate “defeat” software installed.

This software reduces engine emissions (and hence performance) when it detects the vehicle is undergoing regulatory emissions testing such as that conducted by the United States Environmental Protection Agency (EPA). During normal driving, the software increases vehicle performance (and emissions.) This approach was used to have vehicles approved by US EPA regulators while still marketing the cars as high performance vehicles.

Following the admission, Volkswagen suspended sales of some models and stated that it had set aside 6.5 billion euros to deal with the issue and its fallout. The CEO resigned, and a new chair was elected to the supervisory board. Dozens of lawsuits have since been filed against the company, including a US$61 billion suit from the US Department of Justice.

One investigation into this matter noted sociologist Diane Vaughan’s investigation into the 1986 Challenger space shuttle disaster, citing her concept of “normalisation of deviance.” The investigation stated that, rather than explicit or implicit executive direction to game the emissions testing regime, “…it’s more likely that the scandal is the product of an engineering organisation that evolved its technologies in a way that subtly and stealthily, even organically, subverted the rules.”

This can occur through ongoing ‘tweaking’ by system engineers, with no single change considered enough to break ‘the rules’ but with the accumulation over time enough to go past approved limits. Workforce turnover obviously plays a role in this, with the gradually evolving status quo more likely to be accepted than challenged by each new employee. The Volkswagen board chairman’s statement that “we are talking here not about a one-off mistake but a chain of errors” supports this view, with the German investigation’s chief prosecutor subsequently stating that “no former or current board members” were under investigation.

In almost all of these scenarios, it is eventually found that someone, somewhere in the organisation, was aware of the issue and had misgivings about the organisation’s course of action. And when this knowledge becomes public, it often does serious damage to the organisation's reputation.

One approach to tease out these often complex and hidden views, decisions and knowledge is through the ‘generative interview’ technique. This is based on British psychologist James Reason’s classifications of organisational culture. These run on a spectrum from pathological, through bureaucratic, to generative. These classifications signify a range of organisational cultural characteristics. Three key indicators for executive blind spots relate to failure and new ideas; their response to failure, their response to new ideas, and their attitude to issues within the organisation.

Pathological organisations punish failure (motivating employees to conceal it), actively discourage new ideas, and don’t want to know about issues. Bureaucratic organisations provide local fixes for failures, think that new ideas often present problems, and may find out about organisational issues if staff persist in speaking out. Generative organisations implement far-reaching reforms to address failures, welcome new ideas, and actively seek to find issues.

Generative interviews adopt a communication approach with characteristics of a generative organisational culture. They aim to gain the insight of ‘good players’ at a range of levels within an organisation. They are conducted in the spirit of enquiry rather than audit. That is, they are used to look for views, ideas and solutions rather than just for problems or non-conformances, but they listen carefully to issues raised. If an interesting idea or view is common to multiple levels of an organisation, this indicates that it should be further investigated.

When trying to demonstrate diligence in executive decision-making, this harnessing of knowledge at all levels of the organisation is critical. Without it, senior decision-makers may overlook well-known critical issues, and reasonable precautions may be missed. In a post-event investigation, it is difficult to demonstrate diligence if someone within the organisation knew about what could have gone wrong or how to prevent it but could not communicate this to those with the power to address it.

This approach is not a panacea for identifying issues faced by an organisation. However, it helps executives focus on, identify and address their organisational blind spots. In this manner it helps answer a key aspect of due diligence in decision-making: what are our unknown knowns?

This article first appeared on Sourceable.

According to the Australian Energy Regulator (AER), unexpected events that lead to substantial overspend by owners of poles and wires is capped to 30 per cent.

The rest can be transferred through to the consumer. That is, it does not have to be budgeted for.

Quoting the AER:

"Where an unexpected event leads to an overspend of the capex amount approved in this determination as part of total revenue, a service provider will be only required to bear 30% of this cost if the expenditure is found to be prudent and efficient. For these reasons, in the event that the approved total revenue underestimates the total capex required, we do not consider that this should lead to undue safety or reliability issues."

This has the immediate effect of making poles and wires a valuable saleable asset as the full cost of risk associated with large, rare events like the 2009 Black Saturday bushfires in Victoria does not need to be included in the valuation. For example, the recent, cumulative $1 billion payout in Victoria has relatively little effect on the profit outcomes for the owner. It also means that the commercial incentive to test for further reasonably practicable precautions to address such events is greatly reduced.

This is inconsistent with accepted probity and governance principles. Ordinarily, all persons (natural or otherwise) are required to be responsible and accountable for their own negligence. At least this is the policy position adopted by responsible organisations like Engineers Australia. Their position requires members to practice within their area of competence and have appropriate professional indemnity insurances to protect their clients. The point is that owners and operators should be accountable for negligence, which the commercial imperative desires to abrogate.

In the case of the Black Saturday bush fires for example, this governance failure has been practically addressed by our customary backstop, the legal system, in the form of the common law claims made by affected parties, and the outcomes of the Bushfire Royal Commission and the flow on work by the Powerline Bushfire Safety Taskforce and the continuing Powerline Bushfire Safety Program.

Particularly, the use of Rapid Earth Fault Current Limiting (REFCL) devices (aka Petersen coils or Ground Fault Neutralisers) on 22-kilovolt lines has been demonstrated to have very significant ability to prevent bushfire starts from single phase grounding faults, faults which the Royal Commission found to be responsible for a significant number of the devastating black Saturday fires. A program to install these in rural Victoria at a preliminary cost of around $500 million appears inevitable, but under the current regulatory regime this cost will be (mostly) passed to the consumer. It is a sad reflection that it takes the death of 173 people to get the worth of such precautions tested and established as being reasonable.

Our Parliaments have seemingly addressed this in a convoluted manner by implementing the model Work Health and Safety laws in all jurisdictions (presently excepting Victoria and Western Australia). This makes officers (directors et al) personally liable for systemic organisational safety recklessness (cases where the officers knew or made or let hazardous occurrences happen) providing for up to five years jail and $600,000 in personal fines. In Queensland, it’s also a criminal matter. There have not been any test cases to date so the effectiveness of this legislation has not been evaluated.

From an engineering perspective, the exclusion of the cost implications of big rare events from the valuation of assets means irrational decisions with regards to the safe operation will inevitably occur and that the community will periodically suffer as a result.

This article first appeared on Sourceable.

The Engineers Australia Safety Case Guideline (3rd Edition) is presently being reviewed by Engineers Australia legal counsel.

It is expected to be released by the Risk Engineering Society through Engineers Australia Media in early 2014.

This third edition of the Safety Case Guideline considers how a safety case argument can be used as a tool to positively demonstrate safety due diligence consistent with the model Work Health and Safety (WHS) legislation (Work Safe Australia 2011) and the Rail Safety National law amongst others, and to provide general information concerning the concepts and applications of risk theory to safety case arguments.

The Guideline adopts a precautionary approach to demonstrating safety due diligence, meaning that safety risk should be eliminated or reduced so far as is reasonably practicable (SFAIRP) rather than reducing risk to as low as is reasonably practicable (ALARP) as encouraged by numerous Australian and international standards and regularly used by many Australian engineers. The Guideline emphasises that attempting to equate SFAIRP and ALARP is naively courageous and will not survive post-event judicial scrutiny.

The expected adoption of the Guideline represents the intellectual tipping point in the technical management of safety risk, at least in Australia, since a guideline or code of practice published by practitioners in their area of competence takes legal precedence over an industry-based standard unless that standard is called-up by statute or regulation. The call-up of a standard in legislation is frowned upon by parliamentary counsel since it derogates the power of parliament to unelected standards committees rather defeating the purpose of a parliamentary democracy. Advice is that under the new safety legislation the hierarchy is now:

In a discussion of the legal status of standards, Minter Ellison partner Paul Wentworth concluded that "Engineers should remember that in the eyes of the courts, in the absence of any legislative or contractual requirement, an Australian Standard amounts only to an expert opinion about usual or recommended practice. Also, that in the performance of any design, reliance on an Australian Standard does not relieve an engineer from the duty to exercise his or her own skill and expertise."

Previously, due diligence meant compliance with the laws of man. The Guideline emphasises that to be safe in reality (meaning an absence of harm), one must first manage the laws of nature rather than the laws of man. Safety due diligence therefore requires a positive demonstration of the alignment of the laws of nature with the laws of man, in that order.

This is quite different to demonstrating due diligence in the finance world. Money isn’t real. That is, it does not exist in a state of nature, for example, it does not grow on trees and therefore the laws of nature don’t directly apply to it. This means that in the financial world, due diligence will probably continue to be considered the same as compliance. Equating due diligence with compliance is an approach many audit committees pursue with regard to safety risk but which is now effectively prohibited by statute law in most Australian jurisdictions.

This article first appeared on Sourceable (no longer available).

Australian parliaments – supported by decisions of the High Court – have been encouraging the adoption of due diligence as a general concept to be applied throughout Australian society.

For example, due diligence in legislation is now called up by the Corporations Act (Cth) legislation, environmental legislation (e.g. NSW and Vic), model WHS legislation and Rail Safety National law etc.

In addition, earlier decisions of the High Court have been endorsed the idea. For example, the judges of the High Court unanimously agreed with the NSW Court of Appeal in 1980 [1] that due diligence as called up in the Hague Rules (to which Australia is a signatory) meant due care against negligence.

Due diligence is a legal concept. It represents an aspect of moral philosophy, that is, how the world ought to be and how humanity should behave in order to bring this about.

In practice, it seems to be an implementation of the ethic of reciprocity, often referred to as the Golden Rule in most philosophies and religions. Essentially, this means treat others as you would expect to be treated by them, or, do unto others as you would have done unto you. At least, that is what Lord Atkin indicated in Donaghue vs Stevenson (1932) [2].

In court this seems to be often tested (with the benefit of hindsight) in the form of the reasonable man test, meaning what would a reasonable man have done in the same circumstances. This is a complex idea as an American law professor notes [3]:

"The reasonable person is not any particular person or an average person… The reasonable person looks before he leaps, never pets a strange dog, waits for the airplane to come to a complete stop at the gate before unbuckling his seatbelt, and otherwise engages in the type of cautious conduct that annoys the rest of us… “This excellent but odious character stands like a monument in our courts of justice, vainly appealing to his fellow citizens to order their lives after his own example."

Much of all this is summarised in the Engineers Australia Safety Case Guideline (3rd edition), which is being launched at the National Convention in Melbourne this month. But what does all this mean and where are we heading, at least as engineers?

As something of an intellectual exercise, an attempt to apply the anticipated requirements (the logical consequence set) of recent Australian legislation and the common law decisions to date as they might be applied to global warming was presented last month by the authors at the NSW Regional Engineers Sustainability conference in Wollongong [4].

Our courts and parliaments require that, when it comes to the examination of human harm post event, all reasonable practicable precautions are demonstrated as being in place at the time decisions were made. To achieve this requires a number of steps.

The key steps for a due diligence argument are:

• A completeness argument as to why all key plausible critical issues were identified
• Identification of all physically possible precautions for each plausible critical issue
• Identification of which precautions in the circumstances are reasonable, balancing the significance of the risk vs. the effort required to achieve it (cost, difficulty and inconvenience and whatever other conflicting responsibilities the defendant may have).

Based on CSIRO studies, it does seem that the planet is warming. Whether this is entirely due to human activity (greenhouse gas emissions) or natural forces is argued extensively, but there does seem to be general agreement that for the 6 billion people on planet Earth, more than two degrees Celsius is problematic. After that, no one’s too sure what might come next. A runaway temperature change that melts the three-kilometre deep Greenland ice sheet [5], for example, will result in a seven metre increase in sea levels, with dire consequences for low lying seaboard cities like Melbourne. This certainly seems a plausible, critical scenario and one that Australian governments should be seen to consider carefully.

Many options are being discussed to address the issue, including controlling carbon emissions, which has proved politically difficult and - if the planet is naturally warming - ineffective. A recent remarkable claim by Lockheed Martin’s “Skunkworks” that fusion energy is only five years [6] away would certainly address this.

There are, however, a number of other, apparently viable precautions of differing costs and effectiveness. The Krakatoa explosion [7] of 1883 apparently cooled the planet by about 1.2o degrees Celsius for a year as a result of the increased albedo effect (reflecting sunlight back in to space). We don’t yet seem to be able to predict such events in advance, so cooling the planet by that means would seem to more a matter of good luck than good governance.

Such precautions can be summarised in a threat-barrier diagram (TBD):

Central to a TBD is the loss of control (LoC) point. This is the point at which the laws of nature and man align. Legally, precautions act before the LoC whilst mitigations act after it.

There are a number of possible options available that would achieve a similar effect to a Krakatoa 1883 explosion, including pumping moisture into the air [8] to produce more reflective white clouds.

Sun shields such as the La Grangian L1 point between the Earth and the sun [9] would be effective too. Another method, possibly the cheapest and most effective of the lot, seems to be the fertilisation of the Southern Ocean [10] to create carbon absorbing algal blooms which would both cool the planet and act as a carbon sink, thereby de-acidifying the oceans.

According to Treasury [11], the Victorian desalination plant has presently cost the Victorian taxpayer $5.7 billion despite the fact that no water has been purchased. The reason for the plant's construction seems to based on a due diligence argument.

At the time of the decision, much of Australia had experienced a 10-year drought. If this had continued for another 10 years, the possibility of a major Australian population centre running out of water was deemed quite plausible. As state cabinet had the means within its power to ensure that this could not happen, it was done, even if it more likely than not will never be needed.

$5.7 billion is a lot of money. Many of the ideas mentioned to address global warming apparently could be implemented for such a sum. If so, it would appear to be within the power of the Victorian parliament and society to prevent a plausible catastrophic flooding of Melbourne due to runaway global warming.

Provided the science and numbers are right (and it is crucial that this be verified and validated), a perpetuation of the due diligence approach would seem to require the Victorian parliament to investigate and potentially act to protect Melbourne – and incidentally cool the whole planet.

References:

[1] Shipping Corporation of India Ltd. v. Gamlen Chemical Co. A/Asia. Pty. Ltd. [1980] HCA 51; (1980) 147 CLR 142
[2] See http://www.bailii.org/uk/cases/UKHL/1932/100.html viewed 17 July 2013
[3] J M Feinman (2010). Law 101. Everything You Need to Know About American Law. Oxford University Press. Page 159
[4] See http://www.engineersaustralia.org.au/events/nsw-regional-convention-sustainable-regional-engineering
[5] http://en.wikipedia.org/wiki/Greenland_ice_sheet viewed 7nov14
[6] http://www.theaustralian.com.au/news/health-science/lockheed-martin-unveils-miniature-nuclear-fusion-power-generator/story-e6frg8y6-1227092587574?nk=4536f2c5e9e39c3c7dd336b0aae01f5c viewed 7nov14
[7] See http://en.wikipedia.org/wiki/1883_eruption_of_Krakatoa viewed 7nov14.
[8] See http://en.wikipedia.org/wiki/File:SPICE_TESTBED_-_DEPLOYED_POSITION.jpg#filehistory viewed 7nov14, for an example.
[9] http://en.wikipedia.org/wiki/Space_sunshade viewed 7nov14.
[10] http://en.wikipedia.org/wiki/Ocean_fertilization and http://www.acecrc.org.au/Research/Ocean%20Fertilisation and http://marineecology.wcp.muohio.edu/climate_projects_04/productivity/web/ironfert.html viewed 3nov14
[11] http://www.dtf.vic.gov.au/Infrastructure-Delivery/Public-private-partnerships/Projects/Victorian-Desalination-Plant viewed 3nov14.

This article first appeared on Sourceable.

In reality, to be safe means to be free from harm.  In court, safe means that, despite something apparently unsafe having happened, due diligence has been demonstrated. In engineering terms this means that to be safe requires managing the law of nature in a way that is consistent with the laws of man and in that order.At R2A we have developed a set of routinely successful process to positively demonstrate safety due diligence consistent with the requirements of the model Work Health and Safety (WHS) legislation that has commenced in all Australian jurisdictions except, at the time of writing, Western Australia and Victoria.The R2A approach adopts a precautionary common law formulation for the demonstration of due diligence as a defence against negligence namely:

• A completeness argument as to why all credible critical safety issues to all affected parties have been identified
• A argument as to why all practicable precautions for each credible critical issue has been identified.
• An argument as to which practicable precautions are reasonable consistent with decisions of the High Court of Australia, and
• The establishment of a safety quality assurance regime to confirm that all reasonable practicable precautions are maintained on an ongoing basis

This approach does not mean that bad things cant happen. It means (assuming the activity is not prohibitively dangerous such that it should not occur at all) that all reasonable practicable precautions for all foreseeable, critical hazards to all affected parties are in place, based on the balance of the significance of the risk vs the effort required to reduce it. This also means that risks should be eliminated or minimized so far as reasonable practicable.Such a position, based around the test of reasonably practicability arguable at a common law balance (the 50:50 tipping point), should provide superior safety outcomes for all whilst offering the best protection against criminal charges for responsible officers under the provisions of the model WHS Act.Over the years, R2A has tested this Safety Case approach with various legal counsels when consulting for clients. We recommend that readers do so with their own legal counsel before adopting this approach.